by simonw 452 days ago
The vulnerability can be understood through this code snippet:

  const subreq = params.request.headers['x-middleware-subrequest'];
  const subrequests = typeof subreq === 'string' ? subreq.split(':') : [];
  // ...
  for (const middleware of this.middleware || []) {
    // ...
    if (subrequests.includes(middlewareInfo.name)) {
      result = {
        response: NextResponse.next(),
        waitUntil: Promise.resolve(),
      };
      continue;
    }
  }

Pass an x-middleware-subrequest HTTP header with a colon-separated list of middleware names to skip.

https://github.com/vercel/next.js/blob/v12.0.7/packages/next...
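
The skip logic quoted above, modelled beside an edge filter that drops the header from untrusted requests. This is an added example, not code from the comment or from Next.js; `runMiddleware`, `stripInternalHeaders`, `hasInternalHeader`, the `auth` middleware and the sample request are assumptions constructed for illustration.

```javascript
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Same skip logic as the quoted snippet: a middleware whose name appears in
// the header is treated as already handled and does not run.
function runMiddleware(headers, middlewares) {
  const subreq = headers[INTERNAL_HEADER];
  const subrequests = typeof subreq === 'string' ? subreq.split(':') : [];
  const executed = [];
  for (const mw of middlewares) {
    if (subrequests.includes(mw.name)) continue;
    executed.push(mw.name);
    const res = mw.handler(headers);
    if (res.blocked) return { status: res.status, executed };
  }
  return { status: 200, executed };
}

// Mitigation at the trust boundary (reverse proxy or first handler): drop the
// internal header from every request that arrives from outside.
function stripInternalHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower !== INTERNAL_HEADER) clean[lower] = value;
  }
  return clean;
}

// Detection: an external client has no reason to send this header, so its
// presence on an inbound request is worth logging and alerting on.
function hasInternalHeader(headers) {
  return Object.keys(headers).some((n) => n.toLowerCase() === INTERNAL_HEADER);
}

// Hypothetical middleware: rejects requests without a valid session cookie.
const middlewares = [{
  name: 'auth',
  handler: (h) =>
    h.cookie === 'session=valid' ? { blocked: false } : { blocked: true, status: 401 },
}];

// Constructed sample request: no session cookie, internal header set by the client.
const inbound = { host: 'app.example', 'x-middleware-subrequest': 'auth' };

console.log('unfiltered:', runMiddleware(inbound, middlewares));
console.log('filtered:  ', runMiddleware(stripInternalHeaders(inbound), middlewares));
console.log('flagged:   ', hasInternalHeader(inbound));
```
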

1 comments

What would this feature ever be used for? I'm surprised such a thing exists, instead of simply defining a different set of routes for a different set of middleware.